cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3387
Views
0
Helpful
12
Replies

Cisco Switch and Router cannot traceroute outside ASA firewall

b3nni3
Level 1
Level 1

Hi,

I need help. I have 1 switch, 1 router, and 1 ASA firewall. All of them are in the same network. It can ping to each other as well. But whenever I try to traceroute 8.8.8.8 or 4.2.2.2 from my switch or router, it's only giving me a dead hop (* * *). Any idea how to make this work?

 

I did some research already. I setup the ICMP permission to ASA. I already added the "inspect ICMP" as well. But still nothing.

 

Thank you in advance!

12 Replies 12

Mohsin Alam
Cisco Employee
Cisco Employee

The ASA, as default does not decrement the TTL when tracerouting through the firewall. 

policy-map global_policy
class class-default
set connection decrement-ttl


## Make sure to mark post as helpful, If it resolved your issue. ##

 





## Make sure to mark post as helpful, If it resolved your issue. ##

There are multiple things that might cause this behavior. My first guess is that the issue is about network address translation. Have you configured address translation on the ASA for the inside subnets?

HTH

Rick

Hi Richard,

Thank you for responding.

 

No. Actually, the devices are already configured before I started working on it. I'm not sure how to check the NAT configuration on ASA. I have ASDM for my ASA. Can you tell me how to check it? Thank you. I'm kinda new with this.

 

Thank you.

Hello,

 

try and get to the command line, if you do a 'debug icmp trace" you should see entries with the keywords 'translating' and 'untranslating', this should tell you if the traceroutes are being NATted.

 

Make sure the inbound ACL applied to your outside interface has these lines:

 

access-list OUTSIDE__TO_INSIDE extended permit icmp any any echo-reply
access-list OUTSIDE_TO_INSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE_TO_INSIDE extended permit icmp any any unreachable
access-group OUTSIDE_TO_INSIDE in interface OUTSIDE

Hi Georg,

Thanks for the response. This is what i'm getting when I ran the 'debug icmp trace':

 

fln-gw-mp(config)# debug icmp trace
debug icmp trace enabled at level 1
fln-gw-mp(config)# ICMP echo request from 10.33.2.33 to 172.18.56.50 ID=13077 seq=0 len=4
Denied ICMP type = 8, code = 0 from 10.33.2.33on interface 4
Denied ICMP type = 13, code = 0 from 10.33.2.33on interface 4
Denied ICMP type = 17, code = 0 from 10.33.2.33on interface 4
ICMP echo request from 10.33.2.33 to 172.18.56.50 ID=5987 seq=0 len=4
Denied ICMP type = 8, code = 0 from 10.33.2.33on interface 4
Denied ICMP type = 13, code = 0 from 10.33.2.33on interface 4
Denied ICMP type = 17, code = 0 from 10.33.2.33on interface 4

 

and keeps going with the same result. 

 

"Make sure the inbound ACL applied to your outside interface has these lines:

 

access-list OUTSIDE__TO_INSIDE extended permit icmp any any echo-reply
access-list OUTSIDE_TO_INSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE_TO_INSIDE extended permit icmp any any unreachable
access-group OUTSIDE_TO_INSIDE in interface OUTSIDE"

 

I added these lines to my ASA. Btw, I am doing the traceroute from my router to 4.2.2.2 or 8.8.8.8

 

Thank you.

 

Hi Mohsiala,

This is what I currently have on my Policy-Map:

fln-gw-mp# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class flow_export_class
flow-export event-type all destination 172.20.100.104
class class-default
inspect icmp
set connection decrement-ttl


I've already added that line on my ASA. When I tried to ping 4.2.2.2 from my router, it's still giving me * * *.

 

Thank you for responding.

Add additional ACE to the ACL previously configured, to permit ICMP Type 3 (destination unreachable) and 11 (time exceeded).

 

 


## Make sure to mark post as helpful, If it resolved your issue. ##

 





## Make sure to mark post as helpful, If it resolved your issue. ##

Hi Mohsiala,

Here's my current access-list:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 5 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip any any (hitcnt=0) 0x7e78c5c4
access-list outside_access_in line 2 remark ICMP type 11 for Windows Traceroute
access-list outside_access_in line 3 remark ICMP type 3 for Cisco and Linux
access-list outside_access_in line 4 extended permit udp any any (hitcnt=0) 0x7833b6a0
access-list outside_access_in line 5 extended permit icmp any any time-exceeded (hitcnt=0) 0x03690eb3
access-list outside_access_in line 6 extended permit icmp any any unreachable (hitcnt=0) 0x5c2fa603
access-list outside_access_in line 7 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list inside_access_in; 1 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip any any (hitcnt=1181336) 0xa925365e
access-list outside802_access_in; 4 elements; name hash: 0xe632b8e4
access-list outside802_access_in line 1 extended permit ip any any (hitcnt=0) 0x17b78e19
access-list outside802_access_in line 2 extended permit icmp any any (hitcnt=0) 0xc6edd4b2
access-list outside802_access_in line 3 extended permit icmp any any time-exceeded (hitcnt=0) 0xbaf5ccc3
access-list outside802_access_in line 4 extended permit icmp any any unreachable (hitcnt=0) 0xa7860ded
access-list inside_1_access_in; 4 elements; name hash: 0x8c246f8
access-list inside_1_access_in line 1 extended permit ip any any (hitcnt=99083) 0xbb69a721
access-list inside_1_access_in line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0xad31bf9a
access-list inside_1_access_in line 3 extended permit icmp any any unreachable (hitcnt=0) 0x53e2d0ba
access-list inside_1_access_in line 4 extended permit icmp any any (hitcnt=0) 0x44dc91df
access-list inside_2_access_in; 4 elements; name hash: 0x10210457
access-list inside_2_access_in line 1 extended permit ip any any (hitcnt=0) 0x9caee8f4
access-list inside_2_access_in line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0xc096d641
access-list inside_2_access_in line 3 extended permit icmp any any unreachable (hitcnt=0) 0x5486f377
access-list inside_2_access_in line 4 extended permit icmp any any (hitcnt=0) 0x909b529a
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit udp any any (hitcnt=0) 0x8b41bf93
access-list ICMP line 2 extended permit icmp any any (hitcnt=0) 0x346eddbd
access-list inside_1_access; 1 elements; name hash: 0x8afa5c7e
access-list inside_1_access line 1 extended permit icmp any any (hitcnt=0) 0xf10297e5
access-list inside_2_access; 1 elements; name hash: 0xb2a6e6f4
access-list inside_2_access line 1 extended permit icmp any any (hitcnt=0) 0x3e609775
access-list traceroute; 2 elements; name hash: 0xd1b5cabe
access-list traceroute line 1 remark Allow traceroute
access-list traceroute line 2 extended permit icmp any any time-exceeded log informational interval 300 (hitcnt=0) 0xeee68b6c
access-list traceroute line 3 remark Allow traceroute
access-list traceroute line 4 extended permit icmp any any unreachable log informational interval 300 (hitcnt=0) 0x1673baf1

 

I ran the arp table, and it gives me 2 inside (router & switch) and 1 outside (ASA). I created a new group called "traceroute" because i'm very confused. Should I just permit ICMP type 3 and 11 to "traceroute" access-group with any any?

 

Please show me the command that I need to use. Thank you.

something like this :

 

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

 


## Make sure to mark post as helpful, If it resolved your issue. ##

 

 





## Make sure to mark post as helpful, If it resolved your issue. ##

Hi Mohsiala,

I've already added those lines on my ASA, but it's still not working when I'm trying to traceroute from Switch/Router > 4.2.2.2 or 8.8.8.8

I'm trying to add the set connection decrement-ttl to "class inspection_default" but it's giving me error.

 

Any other ideas why it's unable to allow or show me traceroute?

Thank you for responding.

The debug output posted is interesting 

ICMP echo request from 10.33.2.33 to 172.18.56.50 ID=5987 seq=0 len=4
Denied ICMP type = 8, code = 0 from 10.33.2.33on interface 4
Denied ICMP type = 13, code = 0 from 10.33.2.33on interface 4
Denied ICMP type = 17, code = 0 from 10.33.2.33on interface 4

Is the source address 10.33.2.33 your router? The destination is not the addresses you have referenced. What is it? What is interface 4?

HTH

Rick

hi,

can you post your ASA 'show nameif' and 'show run access-group'?

Review Cisco Networking for a $25 gift card